A new, radically slimmed down version of the Security Policy Framework was published on 3rd June 2014. In this blog post I summarise the changes and consider what it means in practical terms.

The HMG Security Policy Framework (SPF) describes the standards, best practice guidelines and approaches that are required to protect UK government ICT assets. It is published by the Cabinet Office and available from the gov.uk web site. All UK Government departments are obliged to comply with this policy and, where appropriate, to extend its requirements to their third-party suppliers in both public and private sectors.

On 3rd June 2014 a new version of the SPF was published, dated April 2014 with no identifying version number. The policy document has been considerably slimmed down, being reduced in size from 52 pages to 11 pages, and there is a major shift in emphasis from the previous version 11.0.

What does this mean for Departments, Agencies and third-party suppliers?

The new SPF is much less bureaucratic and prescriptive than the previous version. It is aligned with the Government Classification Scheme. Much of the former content is gone: Security Policy areas 1 – 4 have been removed from the document, as have the 20 Mandatory Requirements. Also missing are the detailed discussions of security controls which were present throughout the previous version, and the use of Business Impact Levels (BILs) to denote levels of security has been withdrawn.

Instead, a new set of “Overarching Principles” stresses the need to support HMG’s objectives to work transparently and openly and reinforces the message that digital services are the preferred method for service delivery. Strong emphasis is placed on risk management and it is noted that people and behaviours are fundamental to good security. OFFICIAL information can be managed with good commercial solutions that mitigate the risks faced by any large corporate organisation.

The Mandatory Requirements have been replaced with a set of eight ‘Security Outcomes’ covering the policy areas of Good Governance, Culture and Awareness, Risk Management, Security of Information, Technology and Services, Personnel Security, Physical Security, and Preparing and Responding to Security Incidents.

For each of these areas, there are a small number of detailed policy statements setting out the outcomes that the Cabinet Office expects Departments to be able to achieve.

The Security Outcomes are supported by Policy Priorities, which contain additional guidance for the areas of Information Security, Physical Security and Personnel Security.

Compliance with the new SPF will be asserted by Departments through an annual reporting process, the Security Risk Management Overview (SRMO). The exact form of these SRMO statements is not yet established, but the process moves the emphasis away from the checklist approach and will instead require Departments to consider the risks to their assets and protect them appropriately.

Departments can also be expected to pass these outcomes down to their suppliers. The policy requires Government organisations to have arrangements to determine and satisfy themselves that Delivery Partners, service providers and third-party suppliers apply proper security controls too (including List X Accreditation for companies handling SECRET assets).